Would like Signtool to use OCSP and/or check CRLs during verification



17 years ago
15 years ago


(Reporter: Arshad Noor, Assigned: Kirk Erickson)






(1 attachment)



17 years ago
We would like to have signtool use the Online Certificate Status Protocol
(OCSP) and CRL checking, when verifying signatures on a signed object.

If the certificate that corresponds to the signing key, has a CRL Distribution
Point in it, it should attempt to load the CRL defined in the CRLDP's URI and
check it for a revoked certificate.

If the certificate that corresponds to the signing key, has an Authority Info
Access extension in it, signtool should attempt to use the OCSP protocol to
make a request to the URI in the AIA extension to validate the certificate.

These two features will make signtool more robust and reliable, since it will
allow customers to verify, in "real-time" that the certificate that signed
the objects has not been revoked.

Note: If you'd like, Sun can help by providing an entire testing infrastructure
for these enhancements.  SunPKI (http://www.sun.com/pki) has established an
infrastructure that publishes CRLs, and supports an OCSP server that is
accessible over the Internet.  Thanks.
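
Both lookups the report asks for, a CRL fetched from the CRLDP URI and an OCSP query sent to the AIA URI, start by pulling those URIs out of the signing certificate. The Python below is an added example, not NSS or signtool code: a minimal DER walker that extracts the id-ad-ocsp responder URIs from an AuthorityInfoAccess value and the fullName URIs from a CRLDistributionPoints value; the sample extension values are constructed inline, and Python is used rather than C so it runs without an NSS build.

```python
# Added example, not NSS/signtool code: walk the DER of a certificate's Authority Info Access and
# CRL Distribution Points extensions for the OCSP responder and CRL URIs signtool would consult.
# The sample extension values below are constructed for this example, not taken from a real cert.
OID_OCSP = bytes.fromhex("2b06010505073001")        # id-ad-ocsp      1.3.6.1.5.5.7.48.1
OID_CA_ISSUERS = bytes.fromhex("2b06010505073002")  # id-ad-caIssuers 1.3.6.1.5.5.7.48.2

def _tlv(buf, pos):
    """Decode one DER TLV at pos -> (tag, value, next_pos); handles long-form lengths."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                       # long form: low 7 bits give the length-of-length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def _children(value):  # split a constructed DER value into its (tag, value) children
    out, pos = [], 0
    while pos < len(value):
        tag, v, pos = _tlv(value, pos)
        out.append((tag, v))
    return out

def _seq_items(ext_value):  # children of the extension's outer SEQUENCE; [] if empty or not one
    return _children(_tlv(ext_value, 0)[1]) if ext_value[:1] == b"\x30" else []

def _der(tag, payload):  # short-form DER encoder (payload < 128 bytes), used only for the samples
    return bytes([tag, len(payload)]) + payload

def ocsp_urls_from_aia(aia_value):
    """AIA ::= SEQUENCE OF AccessDescription { accessMethod OID, accessLocation GeneralName };
    keep entries whose method is id-ad-ocsp and whose location is a [6] URI (tag 0x86)."""
    urls = []
    for tag, desc in _seq_items(aia_value):
        parts = _children(desc) if tag == 0x30 else []
        if len(parts) == 2 and parts[0] == (0x06, OID_OCSP) and parts[1][0] == 0x86:
            urls.append(parts[1][1].decode("ascii"))
    return urls

def crl_urls_from_crldp(crldp_value):
    """CRLDP ::= SEQUENCE OF DistributionPoint; URIs sit under
    [0] distributionPoint (0xA0) -> [0] fullName (0xA0) -> [6] URI (0x86)."""
    urls = []
    for tag, dp in _seq_items(crldp_value):
        for t1, dpn in (_children(dp) if tag == 0x30 else []):
            for t2, names in (_children(dpn) if t1 == 0xA0 else []):
                urls += [gn.decode("ascii") for t3, gn in (_children(names) if t2 == 0xA0 else []) if t3 == 0x86]
    return urls
# Constructed samples: an OCSP responder plus a caIssuers entry (must be ignored), and one CRL URI.
SAMPLE_AIA = _der(0x30, _der(0x30, _der(0x06, OID_OCSP) + _der(0x86, b"http://ocsp.example.test"))
                  + _der(0x30, _der(0x06, OID_CA_ISSUERS) + _der(0x86, b"http://ca.example.test/ca.crt")))
SAMPLE_CRLDP = _der(0x30, _der(0x30, _der(0xA0, _der(0xA0, _der(0x86, b"http://crl.example.test/ca.crl")))))
```

A certificate with neither extension yields empty lists from both functions, which is the case where a verifier has no online revocation source and must rely on CRLs already installed in its database.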

Comment 1

17 years ago
Marking NEW.
Ever confirmed: true

Comment 2

17 years ago
Marking signtool bugs as future until the 3.3 plan is ready.
Assignee: wtc → mcgreer
Target Milestone: --- → Future

Comment 3

17 years ago
Set Target Milestone to NSS 3.3.  Assigned the RFE to
Bob for evaluation.
Assignee: mcgreer → relyea
Priority: -- → P2
Target Milestone: Future → 3.3


16 years ago
Target Milestone: 3.3 → 3.4

Comment 4

16 years ago
Wan-Teh, this should be relatively easy (assuming CRLs and OCSP are working;),
but it's not a critical function for NSS 3.4, so I'm likely to prioritize this
low. (This would be a good candidate for someone else to pick up if we want it
in 3.4).

NOTE: half of this should already be done. CRLs should be working with
signtool. OCSP only requires an option to turn it on.


Comment 5

16 years ago
Assigned the bug to Kirk.

I don't think this needs to be done in 3.4.  It would
be a good idea to talk to the bug reporter about the
time frame.
Assignee: relyea → kirk.erickson

Comment 6

16 years ago
Changed the QA contact to Bishakha.
QA Contact: sonja.mirtitsch → bishakhabanerjee

Comment 7

16 years ago
Set target milestone to NSS 3.5.
Target Milestone: 3.4 → 3.5


16 years ago
Target Milestone: 3.5 → 3.6

Comment 8

16 years ago
Reviewed this bug with Julien. We need to make signtool call
CERT_EnableOCSPChecking (handle);

Using a cert with the OCSP extension we should then hit:
ocsp_GetEncodedResponse(PRArenaPool *arena, PRFileDesc *sock)

Stumbled across this typo:
kirke@iws-perf[51] rgrep OSCP
./mozilla/security/nss/cmd/certutil/certutil.c:1497:    fprintf(stdout, "%-25s 5 - OSCP Responder\n", "");

Should be OCSP (Online Certificate Status Protocol).
Emailed Julien, thinking he might still be touching certutil.c.


Comment 9

15 years ago
Created attachment 87149 [details] [diff] [review]
Proposed patch

Adds -O argument to signtool command line, which enables
OCSP checking by calling CERT_EnableOCSPChecking().

Comment 10

15 years ago

I've added you to the cc-list for this bug because it's
your routine that needs calling.
Could you review the patch I've attached?


Comment 11

15 years ago
Comment on attachment 87149 [details] [diff] [review]
Proposed patch

looks good
Attachment #87149 - Flags: review+

Comment 12

15 years ago
Checked in patch to add -O (enable OCSP checking),
and closed.
Last Resolved: 15 years ago
Resolution: --- → FIXED

Comment 13

15 years ago
Comment on attachment 87149 [details] [diff] [review]
Proposed patch


Thanks for coming up with the patch.  Some comments.

1. In this block of code, the indentation of the body of
the inner if statement is wrong:

>+	if (enableOCSP) {
>+		SECStatus rv = CERT_EnableOCSPChecking(CERT_GetDefaultCertDB());
>+		if (rv != SECSuccess) {
>+	        PR_fprintf(errorFD, "ERROR: Attempt to enable OCSP Checking failed.\n");
>+	        errorCount++;
>+	        retval = -1;
>+		}
> 	}
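
Review bot: the failure branch of the inner if records the error (errorCount++, retval = -1) but falls through, so whatever follows this block runs with OCSP checking still disabled; nothing in the quoted lines stops processing, so either return from here or make sure the caller treats a non-zero errorCount as fatal before any signature is verified, otherwise -O silently degrades to a no-op on failure. On the indentation point above, the three lines inside the inner if (PR_fprintf, errorCount++, retval = -1) use a tab followed by spaces while the enclosing lines use tabs only; use tabs throughout that block.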

2. In the original description of this RFE, the reporter asks
that OCSP be used if the certificate that corresponds to the
signing key has an Authority Info Access extension in it.  In
your patch, the use of OCSP is controlled by the -O option.
This is not exactly what the original RFE asks for.

3. Your patch does not check CRLs so we might want to edit
the bug's summary to reflect what actually got implemented.

Comment 14

15 years ago

I would say that it is preferable to keep OCSP an option, because some people
may be running signtool offline, or in a non-Internet network where they won't
be able to reach OCSP responders for checking. So it should not be enabled by

As far as CRLs, they should already be checked automatically if they are
installed in the cert DB, but the CRL distribution point is not handled yet.

See bugs http://bugzilla.mozilla.org/show_bug.cgi?id=133191

Comment 15

15 years ago
Please ignore my comments 2 and 3 in comment #13.  Kirk and
Julien have both responded to my questions.  Thanks.

Kirk, you just need to fix the indentation of that if statement.

Comment 16

15 years ago
I fixed the indentation shortly after seeing comment #15.